No More Sacrificial Lambs

When I was at my former employer in the Office of the CTO, my main focus was the security strategy for their client solution organization, one which builds and sells millions upon millions of endpoints a year. My former employer had a moniker that went along with its commercial endpoints, labeling them the “most secure PC in the world”.

To this day I truly believe that they are, and it was up to me and a few others in the Office of the CTO to develop and nurture an ongoing security strategy to keep these endpoints the most secure.

I had several lines of strategy, but one of them was advanced threat protection (ATP). What I needed to know was this: what was my former employer going to do about advanced threats targeting our customers’ endpoints? They had gone with traditional antivirus (AV) for our products since the beginning, but we all knew that traditional AV was becoming increasingly ineffective against the multitude of new threats now facing enterprises and businesses worldwide.

The strategy set forth was simple: no more sacrificing customers’ endpoints for the greater good in order to create a signature. No more sacrificial lambs. My former employer wanted a solution which simply stopped the threat, advanced or commodity, from executing on the endpoint. Period.

And so my hunt began…

The 5 Types of Advanced Threat Protection

After an extensive period of research, I found that over 60 companies claimed to provide some sort of ATP defense. I narrowed my search and tested those products personally. (Yes, I actually tested them! More on this later). Of the 60+ companies which offered ATP, I was able to categorize them into five distinct buckets, which were:

• Endpoint Advanced Threat Protection – Companies that claim to proactively prevent advanced and commodity threats from executing on endpoints, without the use of signatures or the cloud.• Commodity Endpoint Antivirus – The legacy AV vendors that heavily rely on signatures. You know - the ones that say in order to get that lovely virus-proof jacket for your endpoints, you have to first sacrifice one endpoint for the greater good of the many.• Endpoint Detection and Response – These are the companies that hunt for targeted threats and indicators of compromise (IOCs). They detect that something is wrong and then respond to it. They focus on catching the stuff that commodity AV misses.• Network/ Sandboxing Advanced Threat Protection – The process where one places hardware in line with ingress and egress corporate traffic and inspects and convicts malicious PEs, OLEs and in some cases, exploits. These are good solutions, but my former employer was looking for a protective solution that resided on the endpoint (given that endpoints could jump off the corporate network and be utilized at home, during travel and essentially, anywhere).• Cloud Based Advanced Threat Protection – These are the vendors that heavily depend on the cloud to deliver their advanced threat protection. These solutions are dependent on a connection with the mother ship in order to convict a process, executable, and/or behavior.

CylancePROTECT® vs. 3,700 Pieces of Malware

So let the testing begin - but first, I needed malware. I needed the good stuff - the stuff that hadn’t yet been detected by the commodity players. What to do? Well, it just so happened that my former employer owned the best managed security service provider in the world (according to Gartner). So I got in touch with my contact who heads up their threat unit.

Here is how that conversation went:

“Hey, Uncle Bob” (not his real name - obviously). “Can you do me a favor? I need some commodity and advanced threat malware so we can test endpoint protection solutions.”

“Sure,” Uncle Bob says. “When are we testing?”

I vividly remember that day because, prior to then, I had never seen anything like what we both saw on that bright and sunny afternoon of March 6, 2015.

A little background here. Uncle Bob and I go way back, back to before the firewall was invented. And in all of our years in the security space, we have never seen anything like the results we got that day.

You see, Uncle Bob came up with over 3,700 pieces of malware (yes, that is the correct number) for us to test against each AV vendor. Of that total, 460 of them had never been seen by commodity antivirus.

Now, you might be asking yourself, how do I know that? Well, first of all, none of the commodity AV vendors detected them in my personal tests. And second of all, none of the 460 pieces of malware were on any of the various online multi-engine virus scanning sites at the time.

I know what you’re thinking. Just because these pieces of malware were not on online testing sites, doesn’t mean they were zero-days. But let’s go back to the results we saw on that day.

Uncle Bob and I had Cylance® and a commodity AV vendor installed and running side by side in comparison. When we unleashed the malware, Cylance instantly stopped (wait for it) all but 12 of over 3,700 pieces of malware. Let me state that again: Cylance stopped all but a paltry 12 out of 3,700 pieces of malware. And four of those twelve were zero-days.

Chad SkipperChad Skipper leads industry analysis and testing of Cylance’s flagship product CylancePROTECT®. Chad is a security technologist veteran focusing on a broad section of the Information Security space. Chad has contributed heavily within product development, engineering, security research, product marketing and product management. Chad is a public speaker of many security topics through a variety of venues and is co-author of 'Next-Generation Anti-Malware Testing for Dummies.' Whether at Symantec, Cisco, BlackStratus, Dell, and now Cylance, Chad has played a significant role in the security design and architecture of endpoint, network, cloud, and hosted security services, and in advancements in security prevention, security management, monitoring, testing and intelligence mitigation solutions. Chad holds a BS degree from Park University, Magna Cum Laude: Management/ Computer Information Systems.Author's Bio